
**************************************************
First post eh. Be very careful when asking this type of question.

Being very careful would entail giving more information than what is presented. Otherwise it just looks like you're trying to scam something.
**************************************************

Um... yeah. First post.

OK, more info:

I have the pleasure of maintaining a GIS server (the 2000 box mentioned above), and at times must allow others local admin access on the box (for installation of software extensions, testing and development of GIS software customizations or standalone programs, etc) and am wondering what methods someone who is a member of the local admin group on this box *might* use to gain rights elsewhere on the network should they choose to do so.

Would the SAM contain domain account information? If not, a key logger would be sneaky.

The reason why more info was needed is that many people post on this forum with similar posts, and you can never tell if one's intentions are for security reasons or, say, how to break into a school's computer lab.

In principle none, but in practice the keylogger method I showed above. There is a way around this:

1. Educate the domain admins to never log on as a domain admin account anywhere except the domain controllers
2. Enforce this with a policy - deny local logons to anywhere except the domain controllers to the domain admin account(s) - domain admin accounts are only required for domain user administration
3. Give each of your administrators separate accounts for different purposes - encourage them to only log on to them on specific machines - for example, a "normal" account for day-to-day stuff, a "workstation admin" account (which has admin on the workstations) and a "server admin" account with local admin on the servers.

This will cause them a lot of hassle of course. But it's the only way.

Even so, someone logging on locally as an account with local admin rights on *any* other machine in the domain, instantly gives them away to anybody else with local admin rights as soon as they log on.

The only solution that would be totally proper, would be to log on as a local admin account only, and have a different password for every machine. But it'd be terribly inconvenient.
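
An added example, not part of the original thread: one way to check that the account separation in steps 1 to 3 above is actually being followed, by scanning logon records for privileged accounts that opened a local session on a host outside their tier. The account names, host names, inventory tables and record layout are constructed for illustration.

```python
from collections import namedtuple

Logon = namedtuple("Logon", "account host logon_type")

# Hypothetical inventory: host -> role, privileged account -> tier.
HOST_ROLE = {"DC01": "domain_controller", "GIS01": "server", "WS042": "workstation"}
ACCOUNT_TIER = {
    "adm-da-alice": "domain_admin",
    "adm-srv-alice": "server_admin",
    "adm-ws-alice": "workstation_admin",
}
# Tier -> the only host role where that tier may log on locally.
ALLOWED_ROLE = {
    "domain_admin": "domain_controller",
    "server_admin": "server",
    "workstation_admin": "workstation",
}
# Windows logon types: 2 = interactive, 10 = remote interactive (RDP).
LOCAL_LOGON_TYPES = {2, 10}

def tier_violations(logons):
    """Return (account, host, tier, host_role) for each out-of-tier local logon."""
    found = []
    for ev in logons:
        tier = ACCOUNT_TIER.get(ev.account.lower())
        if tier is None or ev.logon_type not in LOCAL_LOGON_TYPES:
            continue  # untracked (normal) account, or not a local session
        # Hosts missing from the inventory get role "unknown" and are flagged.
        role = HOST_ROLE.get(ev.host.upper(), "unknown")
        if role != ALLOWED_ROLE[tier]:
            found.append((ev.account, ev.host, tier, role))
    return found

# Constructed sample records, standing in for exported logon audit events.
SAMPLE = [
    Logon("adm-da-alice", "DC01", 2),    # allowed: domain admin on a DC
    Logon("adm-da-alice", "GIS01", 10),  # violation: domain admin on a member server
    Logon("adm-srv-alice", "GIS01", 2),  # allowed: server admin on a server
    Logon("adm-srv-alice", "WS042", 2),  # violation: server admin on a workstation
    Logon("adm-ws-alice", "GIS01", 3),   # network logon, not a local session
    Logon("bob", "GIS01", 2),            # normal account, not tracked
]

if __name__ == "__main__":
    for account, host, tier, role in tier_violations(SAMPLE):
        print(f"{account} ({tier}) logged on locally to {host} ({role})")
```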

*******************************************************
Even so, someone logging on locally as an account with local admin rights on *any* other machine in the domain, instantly gives them away to anybody else with local admin rights as soon as they log on.
*******************************************************